{
	"id": "9921a3e6-772f-4f37-af15-50653d846e62",
	"created_at": "2026-04-06T00:12:52.033816Z",
	"updated_at": "2026-04-10T13:12:05.958532Z",
	"deleted_at": null,
	"sha1_hash": "8129e6ae6754e36eb3e0e3962d63ef5b1ca98891",
	"title": "SmokeLoader Detection: UAC-0006 Group Launches a New Phishing Campaign Against Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 147094,
	"plain_text": "SmokeLoader Detection: UAC-0006 Group Launches a New\r\nPhishing Campaign Against Ukraine\r\nBy Veronika Zahorulko\r\nPublished: 2023-07-13 · Archived: 2026-04-02 11:36:03 UTC\r\nHeads up! Cyber defenders are notified of a new wave of phishing attacks leveraging invoice-related email\r\nsubjects, with the infection chain triggered by opening a malicious VBS file, which leads to spreading\r\nSmokeLoader malware on the affected devices. According to the investigation, the malicious activity can be\r\nattributed to the financially motivated UAC-0006 hacking gang, which was observed in earlier attacks against\r\nUkraine also using the same malicious strains and the phishing attack vector.\r\nAnalysis of UAC-0006 Offensive Operations Spreading SmokeLoader Malware\r\nSlightly more than one month after phishing attacks by UAC-0006 financially motivated hackers targeting\r\nUkraine, CERT-UA researchers revealed another campaign abusing financial subject lures and also distributing\r\nSmokeLoader malware. Hackers massively spread emails with invoice-related subjects and attachments that\r\ncontain a VBS file intended to install and run SmokeLoader malware on the impacted devices.\r\nIn this campaign, covered in the new CERT-UA#6999 alert, the malware configuration file contains 45 domain\r\nnames, 5 of which use the A record and are linked to a Russian provider. To maintain persistence, the malware\r\niteration used in these attacks is capable of determining the current A records for the domain names by querying the\r\ncorresponding DNS server. UAC-0006 adversaries use compromised email accounts, consistent with the\r\nbehavior patterns observed in their previous campaigns against Ukraine.\r\nAs potential mitigation measures, defenders recommend restricting the use of Windows Script Host and\r\nPowerShell to minimize the threat.\r\nDetecting UAC-0006 Activity Covered in the CERT-UA#6999 Alert\r\nThe increasing volume of offensive operations linked to UAC-0006 requires ultra-responsiveness from cyber\r\ndefenders to thwart the related attacks in a timely manner. SOC Prime Platform for collective cyber defense delivers curated\r\nSigma rules to help organizations proactively defend against the group’s attacks massively distributing\r\nSmokeLoader and identify relevant adversary TTPs in a timely manner.\r\nHit the Explore Detections button below to obtain the entire list of Sigma rules for UAC-0006 attack detection\r\nmentioned in the CERT-UA#6999 alert. To accelerate the SOC content search, apply the relevant tags “UAC-0006” or “CERT-UA#6999”. All detection algorithms are enhanced with cyber threat context and can be\r\nautomatically converted to dozens of language formats in use.\r\nhttps://socprime.com/blog/smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine/\r\nSecurity engineers can also leverage Uncoder AI to instantly hunt for the IOCs listed in the CERT-UA#6999 alert by\r\ncreating custom IOC queries and running them in the selected environment on the fly.\r\nMITRE ATT\u0026CK Context\r\nCyber defenders can also gain insights into the context behind phishing attacks by UAC-0006 in more detail by\r\nexploring the table below, which provides the list of relevant adversary tactics and techniques as per ATT\u0026CK:",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socprime.com/blog/smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine/"
	],
	"report_names": [
		"smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine"
	],
	"threat_actors": [
		{
			"id": "078f7b2a-4e1c-4843-b7cd-353331cd2260",
			"created_at": "2023-11-21T02:00:07.359148Z",
			"updated_at": "2026-04-10T02:00:03.467054Z",
			"deleted_at": null,
			"main_name": "UAC-0006",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0006",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434372,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8129e6ae6754e36eb3e0e3962d63ef5b1ca98891.pdf",
		"text": "https://archive.orkl.eu/8129e6ae6754e36eb3e0e3962d63ef5b1ca98891.txt",
		"img": "https://archive.orkl.eu/8129e6ae6754e36eb3e0e3962d63ef5b1ca98891.jpg"
	}
}